Metaplay Docs

Appearance

GDPR Compliance

This section outlines how to use and customize the built-in General Data Protection Regulation (GDPR) data exporting features for easy compliance with player data requests.

Key Concepts

  • GDPR is an EU data privacy and security law that most game companies need to and/or choose to comply with. It sets a baseline for how a player's data must be treated.

    What is GDPR, the EU's new data protection law? - GDPR.eu

  • Personal Data is protected under the law and in the context of games generally covers anything identifiable to a particular player, like their game state. It must be kept safe and handled in a confidential manner as outlined in your company's terms of service.

Responding to Personal Data Requests

Sometimes a player might ask for a copy of their Personal Data. The easiest way to do this is to access the player in the LiveOps Dashboard and use the GDPR Export button. This opens a preview of a specially filtered down version of the PlayerModel that has non-player-facing members like random seeds stripped away for both legibility and security.

A preview of what will be included in the generated export.

Pressing "download" will give you a .json file that you can forward as an attachment or otherwise hand out to the player in whatever way makes the most sense in your customer support workflows.

Excluding Data from the Export

Not all members of your PlayerModel are Personal Data, or more to the point, useful to the player. Additionally, handing out certain fields like random seeds might even make it possible for the players to cheat by knowing what they will get next from loot tables. It is a good practice to exclude these from the data exports by declaring them with the ExcludeFromGdprExport attribute.

Code example of adding attributes to MetaMembers in your PlayerModel:

C#
// Snippet from PlayerModel.cs
[MetaMember(10)] public PlayerAvatar Avatar { get; set; } // Included.
[MetaMember(11), ExcludeFromGdprExport] public RandomPCG Random { get; set; } // Excluded.
[MetaMember(12), NoChecksum] public PlayerStatisticsCore Stats { get; private set; } = new PlayerStatistics(); // Included.

Personal Data Outside of PlayerModel

While it is easy for us to provide you a clean export of a player's Personal Data based on their PlayerModel, we cannot automatically do the same to other systems and tools you might be using to log and process Personal Data, such as game analytics*.* As you customize Metaplay and continue to build your game, please pay careful attention to note where Personal Data is stored (including server logs if you print player details there in production!) and handle them appropriately.

Players "Right to be Forgotten"

Under "The Right to be Forgotten", a player can ask for their personal data to be deleted. We comply with this request by resetting their player state to remove all personally identifiable information. Player deletion can be performed by a Customer Service Agent through the LiveOps Dashboard or, if you choose to enable it, in-game by the player themself. This topic is discussed in more detail in Working with Player Deletion.